AO 442 (Rev. 11/11) Arrest Warrant

UNITED STATES DISTRICT COURT
for the
Northern District of Ohio

FILED by D.C.
Feb 8, 2021
ANGELA E. NOBLE
CLERK U.S. DIST. CT.
S.D. OF FLA. - Miami

United States of America
v.
ALLA WITTE, aka MAX

Case No. 1:20 CR 440
1:21-2236-MJ-OTAZO-REYES

ARREST WARRANT

To: Any authorized law enforcement officer


YOU ARE COMMANDED to arrest and bring before a United States magistrate judge without unnecessary delay
(name of person to be arrested) ALLA WITTE, aka MAX
who is accused of an offense or violation based on the following document filed with the court:

[X] Indictment   [ ] Superseding Indictment   [ ] Information   [ ] Superseding Information   [ ] Complaint
[ ] Probation Violation Petition   [ ] Supervised Release Violation Petition   [ ] Violation Notice   [ ] Order of the Court

This offense is briefly described as follows:


18 USC § 371 Conspiracy to Commit Computer Fraud and Aggravated Identity Theft
18 USC § 1349 Conspiracy to Commit Wire and Bank Fraud
18 USC § 1343 Wire Fraud
18 USC § 1344 Bank Fraud
18 USC § 1028A(a)(1) Aggravated Identity Theft
18 USC § 1956(h) Conspiracy to Commit Money Laundering


Date: [illegible]

City and state: Cleveland, Ohio

This warrant was received on (date) [illegible], and the person was arrested on (date)
at (city and state)

Date:

Arresting officer's signature

Printed name and title
FILED
AUG 13 2020
CLERK U.S. DISTRICT COURT
NORTHERN DISTRICT OF OHIO
CLEVELAND

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF OHIO
EASTERN DIVISION





UNITED STATES OF AMERICA,
        Plaintiff,

    v.

[REDACTED],
ALLA WITTE,
aka MAX,
        Defendants.

INDICTMENT

CASE NO.

Title 18, United States Code,
Sections 371, 1028A(a)(1), 1030,
1343, 1344, 1349, 1956(h) and 2

GENERAL ALLEGATIONS 


At all times relevant to this Indictment:

1. Defendants [REDACTED], ALLA WITTE, aka MAX, [REDACTED], and others presently known and unknown to the Grand Jury (hereinafter referred to as the “Trickbot Group”) were participants in a criminal scheme to defraud, and were located in or around Russia, Belarus, Ukraine and Suriname.
DEFINITIONS 

2. “Malware” was malicious or intrusive software designed to disrupt computer operations, gather sensitive information, gain access to private computer systems, or commit other unauthorized actions on a computer system. Malware was installed on a computer without the knowledge or permission of the owner. Common examples of malware included viruses, worms, trojans, keyloggers, and spyware.

3. A “trojan” was a type of malware which masqueraded as a routine download request or as an opportunity to download files of interest to the user in order to persuade the victim to install it. Many trojans, including the Trickbot Trojan¹ discussed below, acted as an unauthorized access point to the victim computer that allows an unauthorized computer to access and communicate with the infected computer.

4. Keystroke logging was the action of recording (or logging) the keys struck on a keyboard. This action was usually done surreptitiously by a computer program (i.e., keylogger) to capture the keys typed on a computer without the typist’s knowledge. Malware that used keystroke logging would often provide the captured keystrokes to the individual who caused the malware to be installed or to a place designated by that individual. Through keystroke logging, individuals were able to obtain online banking credentials as soon as the user of the infected computer logged into their account. After obtaining this information, these individuals could then access the victim’s online bank account and execute unauthorized electronic funds transfers (EFT), such as Automated Clearing House (ACH) payments or wire transfers,² to accounts that they controlled.

¹ For purposes of this Indictment, the terms “Trickbot,” “Trickbot malware” and “Trickbot Trojan” are used interchangeably and all refer to the same suite of malware tools used by the Defendants.

5. “HTTP” (“Hypertext Transfer Protocol”) was the protocol used to transfer data over the internet. The primary function of HTTP was to establish a connection between computers and servers on the internet to transfer information, including web pages and downloadable files, from internet-connected servers to computers using internet browsers.

6. “HTTP GET” was a command in HTTP that allowed a user to request information from a web server. An example of an HTTP GET command would be to enter a bank URL in the address bar of an internet browser, which would then send a request for information about the bank web page to the corresponding web server.

7. “HTTP POST” was a command in HTTP that allowed the user to interact with and update information on a web server. An example of an HTTP POST command would be when a user who is already on a bank web page entered information on that page, such as their online credentials, and thus interacted with the web server itself.

8. “Web injects” introduced (or injected) malicious computer code into a victim’s web browser while the victim browsed the internet and “hijacked” the victim’s internet session. Different injects were used for different purposes. Some web injects were used to display false online banking pages in the victim’s web browser to trick the victim into entering online banking information, which was then captured by the individual employing the web inject. Web injects often interacted with HTTP GET and HTTP POST commands.

² EFT were the exchange and transfer of money through computer-based systems using the internet. ACH payments allowed the electronic transferring of funds from one bank account to another bank account within the ACH network without any paper money changing hands. The ACH network was a network of participating depository financial institutions across the United States, and the network provided for interbank clearing of electronic payments. Because ACH payments required the network to clear the transaction, the funds were not immediately available. Wire transfers also allowed electronic transferring of funds from one bank account to another bank account without any paper money changing hands; however, unlike ACH payments, wire transferred funds were immediately available.

9. A “botnet” was an interconnected network of computers infected with malware without the knowledge of the computers’ users that was controlled by a remote party, often referred to as a “botherder,” who does not have authorization to control the computers on the network.

10. A “bot” was one of the infected computers that was part of a botnet and controlled by a remote party who does not have authorization to control the computer. For purposes of this Indictment, all “bots” were infected computers and all infected computers were bots.

11. A “command and control server” was a centralized computer that issues commands to the bots in a botnet and receives reports back from the bots. “Command and Control” (C2) infrastructure consisted of servers and other technical infrastructure used to control malware in general and, in particular, botnets. Command and control servers could be either directly controlled by the malware operators or themselves run on hardware compromised by malware.

12. A “virtual private network” (VPN) was a technology that created a secure network connection over a public network such as the internet or a private network owned by an Internet Service Provider. By using a VPN, a user can conceal his true IP address from those with whom he is communicating.
13. A “loader” was a term used for a basic remote access trojan. The loader is designed to install additional malware components onto a victim computer and to evade detection by anti-virus programs.

14. A “worm” was a term used to describe the process of malware moving laterally within a network, replicating itself from an initial infected computer to other computers on a network to diversify a malware’s footprint on an infected network.

15. Two-Factor Authentication was a common security feature used by web-based services that stored confidential personal and online financial information, such as banks. Two-Factor Authentication required the use of two independent mechanisms to verify the authenticity and identity of the user. Examples of Two-Factor Authentication included the concurrent use of a password known by a user and an authentication token, such as an SMS code sent to the user’s telephone.

16. “Ransomware” was a type of malware designed to deny access to a victim’s computer and/or computer files until the payment of a ransom.

17. A “Mule” or “Money Mule” was a person who received stolen funds into their bank account, and then moved the money to other accounts, often overseas.

18. A “Malware Manager” was a member of the scheme generally responsible for recruiting and hiring “Malware Developers” (as that term is defined below), procuring infrastructure, managing finances, testing malware against CAV services, and deploying and monitoring the malware.

19. A “Malware Developer” was a member of the scheme generally responsible for writing the software code for the malware and updating it over time. Malware Developers would also set up the “backend infrastructure” of the malware, including setting up and updating the servers procured by Malware Managers.

20. “Phishing” was a criminal scheme in which the perpetrators used fraudulent email messages and/or fake websites to trick people into providing information, such as network credentials (e.g., usernames and passwords), that could later be used to gain access to a victim’s systems. Phishing schemes often used social engineering techniques similar to traditional con-artist techniques in order to trick victims into believing they were providing their information to a trusted vendor, customer, or other acquaintance. Phishing emails were also often used to trick a victim into clicking on documents or links that contained malicious software that then infected and compromised the victim’s computer system without their knowledge or permission.

21. “Spear phishing” was a targeted form of phishing directed towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals also used spear phishing schemes to install malware on a targeted user’s computer.

22. Social engineering was a skill developed over time by people who wanted to acquire protected information through manipulation of social relationships. People who were skilled in social engineering could convince individuals to divulge protected information or access credentials that the social engineer deemed valuable to the achievement of his or her aims.

23. “Crypting” was the process of encrypting malware to avoid detection by anti-virus tools and software on victims’ computers.

24. “Crypted” malware was subjected to crypting.

25. “Counter Anti Virus” (CAV) services checked malware against anti-virus software to determine if the malware would be detected by the anti-virus software. CAVs did not share and distribute uploaded malware files with anti-virus companies, but instead provided anonymity to malware developers and users.

26. The following were financial institutions, within the meaning of Title 18, Section 20, United States Code, whose deposits were insured by the Federal Deposit Insurance Corporation (FDIC) (collectively, the “Financial Institutions”):

a. Buckeye Community Bank;
b. First National Bank;
c. Huntington National Bank;
d. [illegible] Chase Bank;
e. Key Bank;
f. People’s United Bank;
g. Regions Bank; and
h. U.S. Bank.

27. CoBank was a financial institution within the meaning of Title 18, Section 20, United States Code, and was a system institution of the Farm Credit System, as defined in Section 5.35(3) of the Farm Credit Act of 1971.

28. Cooperating Witness 1 (CW 1) was a public school district located in Avon, Ohio, in the Northern District of Ohio, Eastern Division.

29. Cooperating Witness 2 (CW 2) was a public school district located in Akron, Ohio, in the Northern District of Ohio, Eastern Division.

30. Cooperating Witness 3 (CW 3) was a real estate firm located in North Canton, Ohio, in the Northern District of Ohio, Eastern Division.

31. Cooperating Witness 4 (CW 4) was a country club located in Ripon, California.
32. Cooperating Witness 5 (CW 5) was a law firm located in Ft. Myers, Florida.

33. Cooperating Witness 6 (CW 6) was a school district located in Bennington, Vermont.

34. Cooperating Witness 7 (CW 7) was a country club located in Lynchburg, Virginia.

35. Cooperating Witness 8 (CW 8) was an electrical service company located in Eastland, Texas.

36. Cooperating Witness 9 (CW 9) was a county government located in Tulare, California.

37. Cooperating Witness 10 (CW 10) was a staffing services company located in New York, New York.

38. Cooperating Witness 11 (CW 11) was an agricultural company located in Minnesota.

39. Unless otherwise noted, all communications of Defendants and conspirators set forth in this Indictment were translated from Russian to English.


THE TRICKBOT SCHEME TO DEFRAUD

40. “Dyre” was an online banking trojan operated by unknown individuals based in Moscow, Russia, that began targeting non-Russian businesses and entities in mid-2014. In or around November 2015, Russian authorities purportedly arrested numerous individuals at 25th Floor, a Moscow-based film company associated with Dyre. Although Dyre activity slowed significantly after the purported Russian action, no charges against members of the Dyre network or 25th Floor were made public. In the months and years following the Russian authorities’ purported actions, the Dyre actors regrouped and created a new suite of malware tools known as “Trickbot.”
41. From in or around November 2015 and continuing through the date of this Indictment, Defendants [REDACTED] and others presently known and unknown to the Grand Jury, were part of a transnational organized cybercrime network and stole money and personal and confidential information from unsuspecting victims, including businesses and their financial institutions located in the United States, United Kingdom, Australia, Belgium, Canada, Germany, India, Italy, Mexico, Spain, and Russia, through the use of the Trickbot malware.

42. Specifically, the Defendants and others worked to: (a) infect victim computers with Trickbot malware designed to capture victims’ online banking login credentials; (b) obtain and harvest other personal identification information, including credit cards, emails, passwords, dates of birth, social security numbers, and addresses; (c) infect other computers connected to the victim computer; (d) use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions; (e) steal funds from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts provided and controlled by the defendants and others; and (f) install ransomware on victim computers.

43. Members of the scheme were located in multiple countries around the world including, but not limited to, Russia, Belarus, Ukraine and Suriname.

44. In order to perpetrate their criminal schemes, the Defendants used a network of associates who provided specialized services and technical abilities in furtherance of the criminal scheme. The specialized skills and services included soliciting and recruiting malware developers; purchasing and managing servers from which to test, operate, and deploy the Trickbot malware; encrypting the malware to avoid detection by anti-virus software; engaging in spamming, phishing and spear-phishing campaigns against potential victims; and coordinating the receipt and laundering of funds from the victims to the Defendants and others.

45. The Defendants created Trickbot to further their criminal scheme. Trickbot was a modular, multi-function suite of malware tools designed in part to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of web injects and keystroke logging. Later versions of Trickbot were adapted to facilitate the installation and use of ransomware.

46. The Defendants used the framework and code from Dyre to establish the basis for the Trickbot malware, and used their connections to Dyre, and to others involved in the development and deployment of Dyre, to create Trickbot.

47. Trickbot was designed to evade detection by anti-virus software and other protective measures employed by victims and was generally spread through phishing and spear phishing campaigns.

48. Trickbot infected millions of victim computers worldwide.

49. In the United States, Trickbot primarily targeted victim computers belonging to U.S. entities and individuals, including those within the Northern District of Ohio.

50. Once installed on a victim computer, Trickbot, in part, used web injects and keystroke logging to obtain and harvest online banking credentials from infected victim computers. The Defendants then used these credentials to gain unauthorized access to victims’ bank accounts and then transfer and attempt to transfer funds from the victims’ accounts to accounts controlled by the Defendants.

51. Trickbot began victimizing businesses, schools and individuals in the United States and elsewhere in the world in or around Fall 2016.


THE DEFENDANTS

52. Defendant [REDACTED] was a citizen of [REDACTED], Russia, and used the online monikers [REDACTED]. [REDACTED] was a Malware Manager responsible for recruiting and hiring computer programmers to provide malware code for the Trickbot Group, procuring infrastructure for the Trickbot Group, such as servers, VPN and VPS providers, and testing Trickbot malware against counter anti-virus services.

53. Defendant [REDACTED] was a national and citizen of Russia. During the timeframe of this Indictment, [REDACTED] resided in [REDACTED]. [REDACTED] was a Malware Manager and had roles and responsibilities in the Trickbot Group similar to [REDACTED].

54. Defendant [REDACTED] was a national and citizen of Russia. During the timeframe of the Indictment, [REDACTED] resided in [REDACTED] and was a Malware Developer for the Trickbot Group, overseeing the creation of Trickbot’s web injection, browser password grabber and bot creation codes, among others.

55. Defendant [REDACTED] was a citizen and national of Russia. During the timeframe of this Indictment, [REDACTED] resided in [REDACTED], Russia, and used the online moniker [REDACTED]. [REDACTED] was a Malware Developer for the Trickbot Group, overseeing the creation of code used to document, maintain and control infected computers in the Trickbot botnet, and of spamming software used by the Trickbot Group to infect other computers.

56. Defendant [REDACTED] was a national of Russia. During the timeframe of this indictment [REDACTED] resided in the [REDACTED] and in [REDACTED]. [REDACTED] was a Malware Developer for the Trickbot Group, overseeing the creation of internet browser injection, machine identification, and data harvesting codes used by the Trickbot malware.

57. Defendant ALLA WITTE, aka MAX, was a national of Russia. During the timeframe of this indictment, WITTE resided in Suriname. WITTE was a Malware Developer for the Trickbot Group, overseeing the creation of code related to the monitoring and tracking of authorized users of the Trickbot malware, the control and deployment of ransomware, obtaining payments from ransomware victims, and developing tools and protocols for the storage of credentials stolen and exfiltrated from victims infected by Trickbot.

58. Defendant [REDACTED] was a citizen and national of Ukraine. During the timeframe of this indictment [REDACTED] resided in [REDACTED]. [REDACTED] was a Malware Developer for the Trickbot Group, responsible for developing remote networking code that allowed the Trickbot Group to remotely control infected victim computers used by the Trickbot Group.
CO-CONSPIRATORS

59. Co-Conspirator 8 (“CC8”) was a Malware Manager who outlined programming needs, managed finances and deployed Trickbot.

60. Co-Conspirators 9, 10, 11 and 12 (“CC9, CC10, CC11, CC12”) were Malware Developers and computer programmers for Trickbot.

61. Co-Conspirator 13 (“CC13”) was a Malware Developer who provided completed modules of Trickbot malware to [REDACTED] and others to be crypted.

62. Co-Conspirators 14 and 15 (“CC14 and CC15”) were crypters who encrypted Trickbot malware to prevent its detection by anti-virus software.

63. Co-Conspirators 16 and 17 (“CC16 and CC17”) were spammers who deployed Trickbot malware through spamming, phishing and spear-phishing campaigns.

COUNT 1
(Conspiracy to Commit Computer Fraud and Aggravated Identity Theft,
18 U.S.C. § 371)

The Grand Jury charges:

64. Paragraphs 1 through 63 of this Indictment are hereby re-alleged and incorporated by reference as if fully set forth herein.

The Conspiracy

65. From in or around November 2015 through the date of this Indictment, in the Northern District of Ohio, Eastern Division, and elsewhere, Defendants [REDACTED], and others presently known and unknown to the Grand Jury, did knowingly and intentionally combine, conspire, confederate and agree to violate the laws of the United States, namely:
a. to intentionally access a computer without authorization, and thereby obtain information from a protected computer, and the offense was committed for purposes of commercial advantage and private financial gain, in violation of 18 U.S.C. §§ 1030(a)(2)(C) and 1030(c)(2)(B)(i);

b. to intentionally and with intent to defraud access a computer without authorization and by means of such conduct further the intended fraud and obtain something of value, specifically money, in excess of $5,000 dollars in a one-year period, in violation of 18 U.S.C. §§ 1030(a)(4) and 1030(c)(3)(A);

c. to knowingly cause the transmission of a program, information, code and command, and, as a result of such conduct, intentionally cause damage without authorization to a protected computer, and the offense caused loss to one or more persons during a one-year period aggregating at least $5,000, in violation of 18 U.S.C. §§ 1030(a)(5)(A) and 1030(c)(4)(B);

d. to knowingly cause the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally cause damage without authorization to a protected computer, and the offense caused damage affecting ten or more protected computers during a one-year period, in violation of 18 U.S.C. §§ 1030(a)(5)(A) and 1030(c)(4)(B);

e. with intent to extort from a person money and other thing of value, to transmit in interstate and foreign commerce a communication containing a demand and request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion, in violation of 18 U.S.C. §§ 1030(a)(7)(C) and 1030(c)(3)(A); and

f. knowingly possessing, transferring and using, without lawful authority, a means of identification of another person, during and in relation to felony violations of 18 U.S.C. §§ 1030, 1343, and 1344, to wit, Computer Fraud, Wire Fraud and Bank Fraud, in violation of 18 U.S.C. § 1028A(a)(1).

Object of the Conspiracy

66. The objects of the conspiracy included for the Defendants to:

a. infect victims’ computers with Trickbot malware designed to capture victims’ online banking login credentials;

b. obtain and harvest other personal identification information, including credit cards, emails, passwords, dates of birth, social security numbers, and addresses;

c. infect other computers networked with the initial victim computer;

d. use the captured login credentials to fraudulently gain unauthorized access to victims’ online bank accounts at financial institutions;

e. steal funds from victims’ bank accounts and launder those funds using U.S. and foreign beneficiary bank accounts provided and controlled by conspirators; and

f. infect victims’ computers with ransomware.

Manner and Means of the Conspiracy

It was part of the conspiracy that:

67. Each Defendant provided specialized skills and filled specific roles in furtherance of the conspiracy. For example, some Defendants recruited and advertised for computer programmers to develop the Trickbot malware, mostly on Russian-based freelancing and employment websites.

68. The Defendants required potential recruits to demonstrate their computer programming abilities and suitability for the conspiracy by assigning potential recruits computer programming tests designed to facilitate aspects of the Trickbot malware, including the use of web injects.

69. The Defendants then provided those computer programmers that demonstrated sufficient proficiency with credentials to access a private communication server through which the Trickbot Group distributed and received communications related to the development, maintenance and deployment of Trickbot.

70. The Defendants developed and updated the Trickbot malware that, when installed on an infected computer, was designed to both receive commands and send information from the infected computer back to the Defendants.

71. The Defendants crypted Trickbot to evade detection by anti-virus software and other protective measures used by victims.

72. The Defendants leased access to servers from legitimate hosting companies using false and fictitious names. These servers were used to deploy, maintain and manage the use of the Trickbot malware.

73. The Defendants spread Trickbot through a campaign of spamming, phishing and spear phishing. The Defendants designed the emails used in these campaigns to falsely represent that they were from legitimate companies, associations or organizations.

74. The Defendants crafted the phishing emails to fraudulently entice a victim to open an attachment, such as a business invoice, or click on a hyperlink that falsely represented itself to be legitimate. When the victim clicked on the attachment or hyperlink, the victim’s computer was typically infected by Trickbot malware either embedded in the attachment or on a malicious domain connected to the hyperlink, without the victim’s consent, knowledge or authorization.

Case 1:21-mj-02236-AOR Document 1 Entered on FLSD Docket 02/08/2021 Page 18 of 61

75. The Defendants designed Trickbot, once it infected a computer system, to determine if the victim computer was connected to other computers on a network and then infect other computers to which the victim computer had access.

76. The Defendants designed Trickbot to automate the theft of confidential personal and financial information, including online banking credentials, by monitoring the victims’ use of their computer and then using keylogging or web injects to surreptitiously obtain and trick a user to enter personal and financial information.

77. The Defendants used keystroke logging to steal victims’ online banking credentials when the victims logged into their online bank account from their infected computer.

78. The Defendants also used web injects to display false online banking pages on the victim’s web browser that captured online banking information as the victim entered it and then transmitted the captured data back to the Defendants.

79. To defeat multi-factor authentication and other protective means used by financial institutions to protect their clients, the Defendants monitored the internet activity of infected computers to determine when the victims visited a financial institution webpage. The Defendants then used captured confidential information of the victims and contacted the victims, posing as bank security personnel, to interact with victims and employees of victim businesses to deceive them into providing the Defendants with their multi-factor authentication codes.

80. The Defendants further designed Trickbot to automatically detect, harvest and exfiltrate credentials and passwords stored in internet browsers on victims’ computers.
81. The Defendants used the confidential personal and financial information obtained by Trickbot to falsely represent to banks and financial institutions that the Defendants and their co-conspirators were victims or employees of victims who had authorization to access the victims’ bank accounts and to make electronic funds transfers from the victims’ bank accounts.

82. The Defendants then used the captured online banking credentials to pose as the victim and cause banks and financial institutions to make and attempt to make unauthorized wire transfers, ACH payments, or other electronic funds transfers from the victims’ bank accounts, without the knowledge or authorization of the account holders.

83. The Defendants then used money mules to receive the wire transfers, ACH payments and other electronic funds transfers from the victims’ bank accounts.

84. The Defendants then directed and caused the money mules to further transfer the stolen funds to reach the accounts of other members of the conspiracy.

85. The Defendants later used Trickbot as a service for other criminal efforts, including the deployment and use of ransomware.

86. In order to achieve the objects of this conspiracy, the Defendants and their co-conspirators relied on several manners and means to evade detection by both victims and law enforcement. These efforts included:

a. using stolen credit cards and false credentials to pay for servers, domains, VPNs, and other infrastructure;

b. using multiple proxies to communicate, including the C2 server, infected computers, commercial VPNs, and commercial proxies;

c. encrypting emails and attachments, and communicating over an encrypted private messaging server;

d. using different monikers when communicating over different channels;

e. regularly moving infrastructure and changing communication channels to avoid detection; and

f. using U.S.-based and foreign money mules.

Overt Acts

87. In furtherance of the conspiracy, and to effect the objects thereof, the Defendants and others known and unknown to the Grand Jury, did commit and cause to be committed the following overt acts in the Northern District of Ohio, Eastern Division, and elsewhere.


J DEVELOPMENT, ADMINISTRATION AND MAINTENANCE OF TRICKBOT 





A. TRANSITION FROM DYRE TO TRICKBOT GROUP 


88. On or about November LL. 2015, obtained credentials to a private 
server used by the operators of the Dyre malware. Approximately a week later, members of the 
Dyre malware campaign were purportedly arrested by Russian authorities. a others 
transitioned their operation to the creation of a new malware based on the Dye framework. 

89. Beginning no later than on or about December 4, 2015, [REDACTED] began communicating with the Trickbot Group about providing administrative support to the Trickbot team, including recruiting other computer programmers and leasing server space on which to develop, maintain and deploy the Trickbot malware.


B. ACQUIRING SERVERS, VPNS AND VPS SERVICES
90. Beginning no later than in or around June 2015 through in or around April 2019, [REDACTED] used a PayPal account under his control to purchase VPS and VPN services from numerous hosting and anonymization companies in the United States, United Kingdom, Lithuania, Canada, Italy, Russia, the Netherlands and elsewhere, initially for the Dyre group and then later for the Trickbot Group.
91. On or about December 7, 2015, [REDACTED] and other Trickbot Conspirators agreed that [REDACTED] would continue providing support services for Trickbot’s development and maintenance, and that he would continue “testing software” and “installing virtual machines.”
92. On or about December 7, 2015, [REDACTED] discussed with CC8 the need to rebuild their infrastructure following the collapse of the Dyre network as follows:

You owe nothing to anyone; we just need to restore our work

Everything got disrupted in one second
We are restoring everything bit by bit

Yes, it is hard work, but I am sure everything will be restored. Thank you again. I will do some work now.

I hope that everything will go through [illegible]. A question about work -- can I order servers in advance? To avoid this rush

yes, that is how it will be

the rush is now because of the technical collapse

93. On or about December 9, 2015, [REDACTED] agreed to rent servers that accepted “Paymer” checks³ for the Trickbot Group and then provide those servers to members of the Trickbot Group.
94. On or about December 9, 2015, [REDACTED] agreed with the co-conspirators that he would register each server under a different account and email and was offered over 100 different emails by a co-conspirator to achieve this goal.


95. On or about December 11, 2015, [REDACTED] purchased servers based in Russia for the Trickbot Group. Later that same day, CC9 instructed [REDACTED] to not buy servers in Russia anymore and instead purchase them from other European countries.


³ Paymer is an electronic software and hardware system designed to manage payment obligations in the form of electronic checks which are payable to the “bearer.” Paymer was based in Russia.
96. Throughout 2016 [REDACTED] maintained a detailed record of server specifications, leases, and payments for servers he and others acquired for the development, maintenance and deployment of Trickbot.

97. Beginning in or around January 2016 [REDACTED] and [REDACTED] began discussing the need to acquire “fullz,” or full identifiers including name, date of birth, social security number and other identifiers, of Americans to conduct fraud on banks.

98. On or about February 1, 2016, [REDACTED] and [REDACTED] discussed the need to use an [illegible] server in their quest to obtain “fullz” so that “no one will discover that we are from Russia.”

99. On or about February 2, 2016, [REDACTED] stated, “They should say thank-you to us that we are stealing money from the Americans we should get the Medal of Valor,” to which [REDACTED] replied “exactly.”

100. On or about February 29, 2016, [REDACTED] introduced [REDACTED] to CC8, a leader of the Trickbot Group, in order for [REDACTED] to begin acquiring servers on behalf of the group. [REDACTED] noted that CC9, CC10 and CC11 were “employees” of the Trickbot Group.

101. Beginning no later than in or around July 2016 and continuing through in or around December 2018, [REDACTED] used a PayPal account under his control to purchase VPS and VPN services from numerous hosting and anonymization companies in the United States, Canada, Russia, the Netherlands and elsewhere, for the Trickbot Group.
C. HIRING COMPUTER PROGRAMMERS TO PROVIDE CODE FOR THE TRICKBOT MALWARE SUITE


102. Beginning no later than in or around November 2015, the Trickbot Group began 
recruiting new programmers to rebuild their infrastructure following the purported Russian 
action against the Dyre group. 


103. In or around January 2016 [REDACTED] agreed to work for and join the Trickbot Group.

104. On or about February 29, 2016, [REDACTED] introduced [REDACTED] to CC8, a leader of the Trickbot Group, in order for [REDACTED] to begin recruiting computer programmers on behalf of the group.
105. On or about May 2, 2016, [REDACTED], CC8 and CC9 agreed to purchase fee-based access to Russian and [illegible]-based job websites to gain access to resumes for computer programmers looking for employment.

106. Beginning no later than in or around March 2016 the Defendants devised a recruitment notice for computer programmers to be used on a computer game website to search for potential malware [illegible].

107. Beginning no later than in or around March 2016 the Defendants created a notice for a Russian-language job website that required potential applicants to demonstrate their computer programming skills by completing a “test” coding task, which required them to successfully program a web inject or other components necessary for the operation of Trickbot.

108. On or about May 4 and May 16, 2016, [REDACTED] created the Gmail accounts ishteryakovruslan@gmail.com and department.ishteryakov@gmail.com to create accounts on job-listing websites and to use these accounts to communicate with potential recruits to the Trickbot Group.
109. On or about May 4, 2016, [REDACTED] contacted CC9 to obtain an already-existing document showing an Individual Tax Number (ITN), the Russian equivalent of an Employee Identification Number, to use to obtain an account on the Russian-based job website.

110. On or about May 4, 2016, CC9 provided [REDACTED] with links to images of existing companies based in Moscow to use for registering on the job website.

111. On or about June 15, 2016, [REDACTED] provided CC9 with the access information for the department.ishteryakov@gmail.com account on a job-posting site.

112. On or about June 30, 2016, [REDACTED] and CC9 discussed the wording of a recruitment posting on the Russian-based job website. CC9 advised [REDACTED] to not use the word “inject” in a job posting for a computer programmer because it was “dangerous” and that CC9 was concerned that posting for “crooked vacanc[ies]” was “likely to get us caught.” In the same conversation, CC9 instructed [REDACTED] to “go ahead” and post the job posting.

113. On or about July 8, 2016, [REDACTED] provided CC9 with the access information for the department.ishteryakov@gmail.com account on the Russian-based job-posting site.

114. On or about July 26, 2016, [REDACTED] informed [REDACTED] that a potential job candidate refused to complete the Trickbot test and stated, “a job applicant states that Chrome is a licensed software and it is illegal to alter, decompile, or change the source code for it. He ask if they are talking about Chromium browser.”


115. On or about July 26, 2016, [REDACTED] responded to [REDACTED]’s message and stated, “Yes[.] We are sorry for this error[.] We are talking specifically about Chrome. The job is not totally legal, but everything is very confidential and is executed via Jabber OTR. Be assured that all the work will be paid for and your activities will be safe. We have been working in this field for five years. [] Either way, it’s up to you. We are waiting for your reply.”
116. On or about July 7, 2016, CC9 instructed [REDACTED] to create a recruitment notice for a computer programmer for the Trickbot Group, including how to assess the computer programming test assigned to the recruit. CC9 further instructed [REDACTED] to only talk directly to potential recruits about the injection code.


D. RECRUITMENT OF [REDACTED]


117. On or about May 17, 2016, [REDACTED] used the department.ishteryakov@gmail.com email account to contact [REDACTED] and separately sent [REDACTED] an email from the Russian-language job site to send [REDACTED] a test task for the Trickbot Group.





118. On or about May 19, 2016, [REDACTED] received the test task but later withdrew from consideration due to technical problems with code for an internet browser.

119. In or around July 2016 [REDACTED] applied for two additional positions with the Trickbot Group and received test tasks for both vacancies.

120. On or about July 19, 2016, [REDACTED] sent an email to the Trickbot Group at the department.ishteryakov@gmail.com email stating [REDACTED] was having problems with the test task. That same day, [REDACTED] provided [REDACTED]’s response to CC8.


121. On or about July 21, 2016, [REDACTED] completed the task and sent the response to the Trickbot Group at the department.ishteryakov@gmail.com email. In the email, [REDACTED] noted that the program should be checked “when the antivirus is off as it can get angry with ‘injections’ during the process.” Attached to the emails were programs that modified the Google Chrome internet browser to enable the Trickbot Group to modify the HTTP GET and POST information from the browser and inject information into the internet session. This type of program was required for the Trickbot malware to intercept and harvest online credentials.
122. On or about July 25, 2016, [REDACTED] and CC8 discussed [REDACTED]’s application and completion of the test task. During the conversation, [REDACTED] and CC8 noted that their test tasks were considered “blackhat” hacking. The text of the conversation follows:

CC8: [REDACTED] did the test task

Who else did it?

CC8: Why are you communicating with this one

The main reason is that this functionality can be used for illegal activities/blackhat (formgrabbing, injects) \n I do not do Blackhat

plus, [REDACTED] did not even do the test task
Later [REDACTED] changed his mind and [illegible] in the evening. There is nothing to lose if [illegible]

Is [REDACTED]’s test task being checked?

let him create a Jabber

[several lines of the conversation are illegible in the source]

[REDACTED] is ready to write
[REDACTED] writes, right?

CC8: I will contact him there

CC8: until people finish the test task, do not exchange any Jabbers
CC8: We need to stop communicating with idiots

We are not in the main one, but in the external one. I got it.

CC8: it does not matter, they sent the test task

in short, describe the question they are asking, so I don’t have to bother you later

CC8: If there is no result, we don’t communicate any more

The majority understand that this is blackhat and asking for the commercial target.

CC8: if they ask additional questions, this person is not suitable

CC8: This is the gist

Later that same day [REDACTED] and CC8 continued the conversation as follows:

Anyhow, send as many messages to programmers as possible
50 per day to the new ones

[REDACTED] is already doing a good job) there are a lot of people
We’ll find several decent [illegible]


123. On or about July 25, 2016, [REDACTED] obtained credentials to a private Trickbot Group communications server.


E. RECRUITMENT OF [REDACTED]

124. On or about May 27, 2016 [REDACTED] used the department.ishteryakov@gmail.com email to contact [REDACTED] and present him with a test task for the Trickbot Group.

125. On or about May 29, 2016, [REDACTED] completed and returned the first Trickbot Group test task, which required him to write a server application that simulates a SOCKS server⁴.

126. On or about May 30, 2016, [REDACTED] used the department.ishteryakov@gmail.com to ask [REDACTED] to complete a second task involving altering a Firefox browser.


⁴ SOCKS is a protocol on the internet that defines the method in which internet resources are requested from one computer to another. A SOCKS server would request data and then route the information back to the client.
127. On or about June 1, 2016, [REDACTED] completed the Firefox browser alteration and provided a Dropbox URL linked to the completed task.


128. On or about June 2, 2016, [REDACTED] provided [REDACTED]’s Dropbox URL to CC9. After CC9 reviewed the code, CC9 and [REDACTED] had the following conversation:

[the conversation is largely illegible in the source; the one recoverable line reads:]

We’ll manage it ourselves
Later that same day [REDACTED] and CC9 continued the conversation as follows:

He’s capable of everything

Such a person is needed.

I’m afraid that he can tell the firm to go hell, or ask for more money.

Well that’s something for the leadership to decide.
His assignment is the usual kind.
There’s nothing strange in it.

So he’s going to develop programs?

Well, yeah.

Well, in that case, that’s fucking great.

129. Following this conversation, [REDACTED] and CC9 provided [REDACTED] credentials and information to join the Trickbot Group and its private communication server.
F. DEVELOPMENT OF THE TRICKBOT MALWARE

130. In or around January 2016 [REDACTED] obtained credentials for the Trickbot private server from his co-conspirators and began providing malware code to the Trickbot Group.

131. From no later than in or around February 2016 through the date of this Indictment [REDACTED] provided computer code and technical support used in the development and maintenance of the Trickbot malware, including code that allowed the Trickbot Group to manage and control infected victim bots and code that facilitated spamming campaigns meant to infect victim computers with Trickbot malware.

132. On or about July 26, 2016, shortly after obtaining credentials to the private Trickbot communications server, [REDACTED] provided a file called “injector/module.rtf” to the Trickbot Group. This file provided guidance to the Trickbot Group on how the malware would monitor the activity on infected computers and web inject into internet browser sessions.

133. On or about that same day, [REDACTED] provided a file to the Trickbot Group called “injector/inj.rtf”, which provided instruction to the conspirators on how to configure the injection files in the Trickbot malware.

134. On or about July 27, 2016, [REDACTED] provided code to be used in the Trickbot malware to the Trickbot Group, specifically a program called “splice.dll” that related to the use of web injects and was critical to the operation of the Trickbot malware.

135. On or about and between July 28, 2016, and June 1, 2018, [REDACTED] and other Trickbot Group members modified and updated the splice.dll code approximately 104 times, each update and modification consisting of a separate overt act.
136. On or about July 27, 2016, [REDACTED] provided code for the main Trickbot browser engine injection program, specifically focused on the Google Chrome browser, to the Trickbot Group.

137. On or about and between July 27, 2016, and the date of this Indictment, [REDACTED] and other Trickbot Group members modified and updated the browser engine injection code for Google Chrome browser approximately 700 times, each update and modification consisting of a separate overt act.
138. On or about September 3, 2018, [REDACTED] provided code to the Trickbot Group for a module that allowed Trickbot malware to harvest stored passwords in web browsers and export them back to the Trickbot Group.

139. On or about and between September 3, 2018, and the date of this Indictment, [REDACTED] and other Trickbot Group members modified and updated the above-described password harvesting module code approximately 150 times, each update and modification consisting of a separate overt act.

140. On or about the dates listed below, [REDACTED] submitted and caused to be submitted for counter anti-virus checks the above-described password harvesting module code to determine if anti-virus software would detect the code, each submission consisting of a separate overt act:

a. April 30, 2019;
b. May 3, 2019; and
c. September 12, 2019.
141. On or about and between February 24, 2017 and November 15, 2018, [REDACTED] provided and updated a file called “bot/cs2 proto.rtf” to the Trickbot Group. This file provided guidance on the function and management of infected bots in the Trickbot botnet.

142. On or about September 19, 2016, [REDACTED] communicated with a Trickbot co-conspirator regarding the provision of code needed for the Trickbot malware.

143. On or about September 26, 2016, [REDACTED] forwarded code [illegible] for the Trickbot malware to the Trickbot Group.


144. On or about and between September 27 and October 2, 2016, [REDACTED] corrected a coding error in the Trickbot malware that affected Trickbot’s ability to identify and control infected computers (bots) in the Trickbot botnet and provided the corrected code to other members of the conspiracy.

145. On or about November 14, 2016, [REDACTED] obtained a copy of a file called “test системы” (“system test”) from the Trickbot Group. This file was used for web injections and contained approximately 30 individual online banking URLs followed by an IP controlled by the Trickbot Group, which were later used by the Trickbot malware to trick victims into entering their [illegible] credentials into spoof banking websites controlled by the Trickbot Group.

146. On or about November 17, 2016, [REDACTED] submitted the “test системы” file to an online counter anti-virus checker to determine if the program would be detected by anti-virus software.

147. On or about February 10, 2017, [REDACTED] provided computer code for the purpose of developing a phishing and spam server used for the creation and management of malicious spam to the Trickbot Group.

Case 1:21-mj-02236-AOR Document 1 Entered on FLSD Docket 02/08/2021 Page 33 of 61


148. No later than on or about March 6, 2017, [REDACTED] and others obtained an account for Dyncheck, an online counter anti-virus service, for the purpose of testing the Trickbot malware against various anti-virus software.

149. No later than on or about December 11, 2017, [REDACTED] gained access to the Trickbot [illegible] server.

150. From on or about December 11, 2017, through and including the date of this Indictment, [REDACTED] provided coding support to develop a remote control module to allow the Trickbot Group to control a victim computer over the internet.

151. On or about [illegible] 10, 2018, the Trickbot Group registered an account with VirusCheckmate (“VCM”), another counter anti-virus checker that was advertised on well-known underground cybercriminal forums.

152. Between in or around March and October 2018, the Trickbot Group uploaded approximately over 43,000 files to VCM. Some of the files had names such as “HSBC deposit Confirmation-0”, “paypal”, and [illegible].

153. On or about April 3, 2018, [REDACTED] and [REDACTED] provided a technical document concerning Trickbot’s operation to the Trickbot Group.

154. On or about October 2, 2018, WITTE gained access to the Trickbot development server.

155. On or about October 11, 2018, WITTE provided code used to manage and track authorized users of the Trickbot malware to the Trickbot Group.

156. On or about December 17, 2018, WITTE created and provided to the Trickbot Group a video demonstrating how to use the Trickbot user tracking software.



157. On or about May 6, 2019, [REDACTED] provided additional development and support for the Trickbot code used to track and control infected computers to the Trickbot Group.
158. On or about and between August 19, 2019, and the date of this Indictment, [REDACTED] and other Trickbot Group members created and modified “injector/Logs60.rtf,” which was a file that explained to members of the conspiracy how to exploit HTTP POST and HTTP GET information.

159. On or about and between October 2019 and the date of this Indictment, WITTE provided code to the Trickbot Group to operate and deploy the Trickbot ransomware module. This code included the following:

a. A web panel used to operate the Trickbot ransomware module, which included panels for “targets,” “bots” and “users” of the [illegible] and contained code that automatically doubled ransom amounts if a victim did not pay within a time period determined by the Trickbot Group; and

b. A web page used to inform victims that their computer was encrypted with ransomware and to provide a Bitcoin address used by Trickbot Group to obtain a ransom payment. The web page included the following language: “Your computer has been infected! Your documents, photos, databases and other important filed encrypted. To decrypt your filed you need to buy our special software.”

160. On or about and between September 30, 2019, and the date of this Indictment, WITTE provided code to the Trickbot Group for a web panel used to access victim data stored in a database. The database contained a large number of credit card numbers and stolen credentials from the Trickbot botnet. This database also included a repository of information about infected machines available as bots. WITTE provided code to this repository that showed an infected computer or ‘bot’ status in different colors based on the colors of a traffic light and allowed other Trickbot Group members to know when their co-conspirators were working on a particular infected machine.

161. On or about January 14, 2020, WITTE conducted internet searches for “laravel faker bitcoin address,” a reference to creating a fake Bitcoin address to use to test the [illegible] payment system.

162. On or about the dates listed below, [REDACTED] provided, modified and updated malware code for the Trickbot Group as follows, each modification or update consisting of a separate overt act:

Date | Description of Code
July 2016 – [illegible] | Modifications of Firefox Internet Browser
December 2016 | Machine Query that allows Trickbot to determine the description, manufacturer, [illegible] name, product, serial number, version and root file directory contents of an infected machine
August 2016 – [illegible] | Grabs and saves browser name, ID, type, configuration files, (HTTP) cookies, history, local storage, & Flash Local Shared Objects/LSO (Flash cookies) from internet browsers.
October 2016 – Present | Searches for, imports and loads files present in internet browser’s “profile” folders including cookies, storage, history, and Flash LSO cookies; also creates a connection to the browsers’ databases to make queries, deletions and insertions.
July 2016 – Present | An executable app/utility used to launch & manage a browser.
July 2016 – Present | Harvesting and modifying data entries stored in Google’s (Chrome) LevelDB database, including browsing history.













II. DEPLOYMENT OF TRICKBOT


163. Beginning no later than October 2016 the Trickbot Group, from a location outside the United States, purchased and configured C2 servers that hosted malware and spam campaigns and were used to host web inject servers for [illegible] bank websites, and began deploying Trickbot malware to victims throughout the world.
164. No later than on or about January 31, 2017, [REDACTED] and [REDACTED] obtained a document entitled “спам”, which was Russian for “Spam.” Within the document were detailed instructions for [REDACTED] to:

a. First, obtain Trickbot malware from CC13;
b. Second, provide the Trickbot malware to CC14 and CC15, who would encrypt the malware to prevent its detection by anti-virus software; and
c. Third, provide the crypted malware to CC16 and CC17 to then deploy Trickbot through spamming, phishing and spear-phishing campaigns.
165. Trickbot infected millions of victim computers worldwide, including in Russia, the United Kingdom, the United States, and the Northern District of Ohio, Eastern Division, and elsewhere, and gained unauthorized access to their computers, each constituting a separate act in furtherance of the conspiracy, including the following:

Victim | Location | Approximate Dates of Infection
[illegible] | [illegible] | October 6 – 20, 2017
CW 10 | New York, NY | December 7, 2018
CW 11 | [illegible] | February 6, 2019

All in violation of Title 18, United States Code, Section 371.
COUNT 2
(Conspiracy to Commit Wire and Bank Fraud, 18 U.S.C. § 1349)


The Grand Jury further charges: 


166. The factual allegations of Paragraphs 1–63 and 88–165 of this Indictment are hereby repeated, re-alleged and incorporated by reference as if fully set forth herein.


167. From in or around November 2015 continuing through the date of this Indictment, in the Northern District of Ohio, Eastern Division, and elsewhere, Defendants [REDACTED] and others presently known and unknown to the Grand Jury did knowingly and intentionally combine, conspire, confederate and agree with others to commit the federal offenses of wire fraud, which affected a financial institution, and bank fraud, that is:

a. to knowingly and willfully devise and execute, and attempt to execute, a scheme and artifice to defraud, and for obtaining money and property by means of materially false and fraudulent pretenses, representations, and promises; and in executing and attempting to execute this scheme and artifice, to knowingly cause to be transmitted in interstate and foreign commerce, by means of wire communication, certain signs, signals and sounds as further described herein, in violation of Title 18, United States Code, Section 1343; and

b. to knowingly and willfully devise and execute, and attempt to execute, a scheme and artifice to defraud a financial institution, as defined in Title 18, United States Code, Section 20, and to obtain moneys and funds under the custody and control of financial institutions by means of materially false and fraudulent pretenses, representations, and promises, in violation of Title 18, United States Code, Section 1344.
Objects of the Conspiracy

168. The objects of the conspiracy included:

a. using interstate and foreign wire transmissions to infect computers with Trickbot malware designed to capture victims’ online banking credentials and confidential personal and financial information;

b. using the captured banking credentials to pose as victims and gain access to victims’ online bank accounts at financial institutions in the United States and elsewhere;

c. initiating unauthorized wire transfers of victim funds held in United States financial institutions; and

d. laundering stolen funds using United States and foreign beneficiary bank accounts controlled by the Trickbot Group.


Manner and Means of the Conspiracy

169. The manner and means used to accomplish the conspiracy are set forth in Paragraphs 67 through 86 of this Indictment and are repeated, re-alleged and incorporated by reference as if fully set forth herein.

170. In order to infect victims’ computers with Trickbot malware, the Defendants and conspirators known and unknown to the Grand Jury crafted and transmitted through the internet in interstate and foreign commerce phishing emails containing malicious hyperlinks or attachments which, when clicked, downloaded and installed Trickbot malware onto victims’ computers without their knowledge or consent.

171. Once installed on the victim computer, Trickbot malware captured the victims’ online banking login credentials and other confidential private and online banking information.

172. In order to fraudulently gain unauthorized access to victims’ online bank accounts, the Defendants, and others known and unknown to the Grand Jury, used the victims’ captured online banking login credentials without authorization to falsely represent to banks that the Defendants and their conspirators were victims or employees of victims who had authorization to access the bank accounts and to make electronic funds transfers from said accounts.

Acts in Furtherance of the Conspiracy

173. In furtherance of the conspiracy, and to effect the objects thereof, the Defendants and others known and unknown to the Grand Jury committed the following acts, among others, in the Northern District of Ohio and elsewhere.


174. On or about the dates listed below, Defendants [REDACTED] and others, for purposes of executing the above-described scheme and artifice, which scheme affected a financial institution, caused to be transmitted by means of wire communications in interstate and foreign commerce the writings, signs, signals, pictures and sounds described below:
Approximate Date | Victim | Approximate Amount of Wire/Attempted Wire/Authorization | Originating Location | Destination Location
10/20/2017 | [illegible] | $98,177 | Avon, OH; Buckeye Community Bank, Lenexa, MO [originating/destination split illegible in the source]
[illegible] | [illegible] | $98,373 | Avon, OH; Buckeye Community Bank, Lenexa, MO [originating/destination split illegible in the source]
[illegible] | [illegible] | $175,789 | Avon, OH; Buckeye Community Bank [originating/destination split illegible in the source]
[illegible] | [illegible] | $98,727 | Avon, OH; Buckeye Community Bank [originating/destination split illegible in the source]
[illegible] | [illegible] | Login to CW1 online banking account | Buckeye Community Bank, Lenexa, MO [originating/destination split illegible in the source]
[illegible] | [illegible] | Login to CW1 online banking account and attempted wire transfer of $691,570 | Buckeye Community Bank, Lenexa, MO [originating/destination split illegible in the source]
3/30/2018 | [illegible] | $438,900 | Key Bank, Solon, OH | Turkiye Cumhuriyeti Ziraat Bankasi, Ankara, Turkey
3/30/2018 | [illegible] | $171,299 | Key Bank, Solon, OH | Turkiye Cumhuriyeti Ziraat Bankasi, Ankara, Turkey
3/30/2018 | CW 5 | $184,900 | Key Bank, Solon, OH | Bank of America, New York, NY
3/30/2018 | CW 5 | $79,450 | Key Bank, Solon, OH | TD Bank, Mt. Laurel, NJ
[illegible] | [illegible] | $485,200 | Regions Bank, Hoover, AL | Turkiye Cumhuriyeti Ziraat Bankasi, Ankara, Turkey
[illegible] | [illegible] | $479,500 | [illegible] | Yapi Ve Kredi Bankasi A.S., Istanbul, Turkey
10/3/2018 | [illegible] | [illegible] | Regions Bank, [illegible] | Denizbank A.S., [illegible]
[illegible] | [illegible] | [illegible] | Regions Bank, Hoover, AL | Turkiye Cumhuriyeti Ziraat Bankasi, Ankara, Turkey
[illegible] | [illegible] | [illegible] | Regions Bank, Hoover, AL | QNB Finansbank, [illegible]
[illegible] | [illegible] | $230,400 | Huntington National Bank, Columbus, OH | [illegible]
[illegible] | [illegible] | $[illegible],900 | Huntington National Bank, Columbus, OH | [illegible]
[illegible] | [illegible] | $154,200 | Huntington National Bank, Columbus, OH | [illegible]
[illegible] | [illegible] | $171,200 | Huntington National Bank, Columbus, OH | [illegible]
[illegible] | [illegible] | $84,200 | Huntington National Bank, Columbus, OH | [illegible]
[illegible] | [illegible] | $44,900 | Huntington National Bank, Columbus, OH | [illegible]
2/07/2019 | CW 11 | $198,370 | [illegible], Greenwood, CO | Fio Banka, A.S., [illegible]
[illegible] | [illegible] | [illegible] | CoBank, Greenwood, CO | Caixabank, S.A., Barcelona, Spain
[illegible] | [illegible] | [illegible] | CoBank, Greenwood, CO | Caixabank, S.A., Barcelona, Spain
2/07/2019 | CW 11 | $170,212 | CoBank, Greenwood, CO | Wells Fargo Bank, San [illegible]
2/07/2019 | CW 11 | $62,341 | [illegible], Greenwood, CO | [illegible], Swindon, United Kingdom
2/07/2019 | CW 11 | $98,663 | CoBank, Greenwood, CO | Bank of America, New York, NY
175. On or about the dates listed below, Defendants [REDACTED] and others, for purposes of executing the above-described scheme and artifice to defraud the financial institutions listed below and for obtaining money under the custody and control of said financial institutions, by means of false and fraudulent pretenses, representations and promises, obtained access to the online accounts and caused and attempted to cause fraudulent wire transfers as set forth below:


Approximate Date(s) | Financial Institution | Defendants | False Pretenses/Representations
12/12/2016 | U.S. Bank | [redacted] | Unauthorized use of CW 4’s online banking credentials and wire transfer of approximately $44,000 from U.S. Bank.
10/17/2017 to 10/19/2017 | Buckeye Community Bank | [redacted] | Unauthorized use of CW 1’s online banking credentials and wire transfers of approximately $98,177; $98,373; $175,789; and $98,727 from Buckeye Community Bank.
10/19/2017 to 10/20/2017 | Buckeye Community Bank | [redacted] | Unauthorized use of CW 1’s online banking credentials and attempted wire transfer of approximately $691,570 from Buckeye Community Bank.
3/30/2018 | Key Bank | [redacted] | Unauthorized use of CW 5’s online banking credentials and wire transfers and attempted wire transfers of approximately $438,900; $171,299; $184,900; and $79,450 from Key Bank.
5/16/2018 | People’s United Bank | [redacted] | Unauthorized use of CW 6’s online banking credentials and wire transfers and attempted wire transfers of approximately $1,250,000 and $50,000 from People’s United Bank.
9/28/2018 | First National Bank | [redacted] | Unauthorized use of CW 7’s online banking credentials and wire transfers and attempted wire transfers of approximately $98,847 and $100,000 from First National Bank.
10/3/2018 | First National Bank | [redacted] | Unauthorized use of CW 7’s online banking credentials and attempted wire transfer of approximately $100,000 from First National Bank.
9/28/2018 | Regions Bank | [redacted] | Unauthorized use of CW 8’s online banking credentials and wire transfers and attempted wire transfers of approximately $485,900; $479,500; $398,900; $398,900 and $395,400 from Regions Bank.
10/3/2018 | Huntington National Bank | [redacted] | Unauthorized use of CW 3’s online banking credentials and wire transfers and attempted wire transfers of approximately $230,400; $84,900; $154,200; $171,200; $84,200, $44,900 and $89,400 from Huntington National Bank.
12/10/2018 | J.P. Morgan Chase Bank | [redacted] | Unauthorized use of CW 10’s online banking credentials and wire transfers and attempted wire transfers of approximately $800,000; $900,000; $890,000; and $950,000 from J.P. Morgan Chase Bank.
[illegible] | CoBank | [redacted] | Unauthorized use of CW 11’s online banking credentials and wire transfers and attempted wire transfers of approximately $198,370; $73,411; $78,123; $170,212; $62,341; $98,663; $183,941; $193,112; and $194,312 from CoBank.

All in violation of Title 18, United States Code, Section 1349. 












COUNTS 3-11 
(Wire Fraud, 18 U.S.C. § 1343) 


176. The factual allegations of Paragraphs 1 — 63, 88 — 165, and 174 — 175 of this
Indictment are hereby repeated, re-alleged and incorporated by reference as if fully set forth
herein.

177. From in or around November 2015 continuing through the date of this Indictment,
in the Northern District of Ohio, Eastern Division, and elsewhere, Defendants [redacted]
WITTE, aka MAX; and others presently known and unknown to the Grand Jury
devised a scheme and artifice to defraud victims of the Trickbot malware and to obtain money
and property, which scheme affected a financial institution, by means of false and fraudulent
pretenses, representations and promises, as described above in Paragraphs 40 — 51, 67 — 86, 88 —
165, 170 — 172, and 174 — 175.

178. On or about the dates listed below, for purposes of executing and attempting to
execute the above-described scheme and artifice to defraud and to obtain money and property,
which scheme affected a financial institution, Defendants [redacted]
and others sent and caused to be sent by means of wire communications in interstate and foreign
commerce the writings, signs, signals, pictures and sounds described below:


Count | Approximate Date | Description of Wire | Originating Location | Destination Location
3 | 10/19/2017 | Login and Authorization for $98,177 | [illegible] | Buckeye Community Bank, Lenexa, MO
4 | 10/19/2017 | Login and Authorization for $98,373 | [illegible] | Buckeye Community Bank, Lenexa, MO
5 | 10/19/2017 | Login and Authorization for $175,789 | Avon, OH | Buckeye Community Bank, Lenexa, MO
6 | 10/19/2017 | Login and Authorization for $98,727 | Avon, OH | Buckeye Community Bank, Lenexa, MO
7 | [illegible] | Login to CW 1’s online banking account | [illegible], OH | Buckeye Community Bank, Lenexa, MO
8 | 3/30/2018 | Approximate $438,900 wire transfer from CW 5’s bank account | Key Bank, Solon, OH | [illegible]
9 | 3/30/2018 | Approximate attempted $171,299 wire transfer from CW 5’s bank account | [illegible] | [illegible]
10 | 3/30/2018 | Approximate $184,900 wire transfer from CW 5’s bank account | Key Bank, Solon, OH | Bank of America, New York, NY
11 | 3/30/2018 | Approximate $79,450 wire transfer from CW 5’s bank account | Key Bank, Solon, OH | TD Bank, Mt. Laurel, NJ

All in violation of Title 18, United States Code, Section 1343 and 2.








COUNTS 12-31 
(Bank Fraud, 18 U.S.C. § 1344) 


The Grand Jury further charges: 
179. The factual allegations of Paragraphs 1 — 63, 88 — 165, and 174 — 175 of this
Indictment are hereby repeated, re-alleged and incorporated by reference as if fully set forth here.

180. From in or around November 2015 continuing through the date of this Indictment,
in the Northern District of Ohio, Eastern Division, and elsewhere, Defendants [redacted]
and others presently known and unknown to the Grand Jury,
having devised and intended to devise a scheme and artifice to defraud a financial institution, as
that term is defined in Title 18, United States Code, Section 20 and listed below, and to obtain
monies and funds in the custody and control of the below financial institutions by means of
material false and fraudulent pretenses, representations and promises, namely, the scheme and
artifice described above in Paragraphs 40 — 51, 67 — 86, 88 — 165, 170 — 172, and 174 — 175 of
this Indictment, well knowing at the time that the pretenses, representations and promises would
be and were false and fraudulent when made, did knowingly execute and attempt to execute the
foregoing scheme and artifice by gaining access to online bank accounts and causing, and
attempting to cause, the transfer of funds, with each access, transfer and attempted transfer being
a separate count as set forth below:


Count | Approximate Date | Defendants | Financial Institution | Description
12 | 10/17/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Login for CW 1’s Online Banking Account
13 | 10/19/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Approximate $98,177 wire transfer from CW 1’s bank account
14 | 10/19/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Approximate $98,373 wire transfer from CW 1’s bank account
15 | 10/19/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Approximate $175,789 wire transfer from CW 1’s bank account
16 | 10/19/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Approximate $98,727 wire transfer from CW 1’s bank account
17 | 10/19/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Login for CW 1’s Online Banking Account
18 | 10/20/2017 | [redacted] | Buckeye Community Bank, Lorain, OH | Approximate $691,570 attempted wire transfer from CW 1’s bank account
19 | 3/30/2018 | [redacted] | Key Bank, Solon, OH | Login for CW 5’s Online Bank Account
20 | 3/30/2018 | [redacted] | Key Bank, Solon, OH | Approximate $438,900 wire transfer from CW 5’s bank account
21 | 3/30/2018 | [redacted] | Key Bank, Solon, OH | Approximate attempted $171,299 wire transfer from CW 5’s bank account
22 | 3/30/2018 | [redacted] | Key Bank, Solon, OH | Approximate $184,900 wire transfer from CW 5’s bank account
23 | 3/30/2018 | [redacted] | Key Bank, Solon, OH | Approximate $79,450 wire transfer from CW 5’s bank account
24 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Login for CW 3’s Online Banking Account
25 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $230,400 wire transfer from CW 3’s bank account
26 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $84,900 wire transfer from CW 3’s bank account
27 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $154,200 wire transfer from CW 3’s bank account
28 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $171,200 wire transfer from CW 3’s bank account
29 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $84,200 wire transfer from CW 3’s bank account
30 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $44,900 wire transfer from CW 3’s bank account
31 | 10/03/2018 | [redacted]; WITTE | Huntington National Bank, North Canton, OH | Approximate $89,400 wire transfer from CW 3’s bank account





All in violation of Title 18, United States Code, Section 1344 and 2. 


COUNTS 32 — 46
(Aggravated Identity Theft, 18 U.S.C. §§ 1028A(a)(1) and 2)


The Grand Jury further charges: 

181. The factual allegations of Paragraphs 1 — 63, 67 — 86, 88 — 165, 170 — 172, and
174 — 175 of this Indictment are hereby repeated, re-alleged and incorporated by reference as if
fully set forth herein.

182. The term “means of identification,” for purposes of this Indictment, means any
name or number that may be used, alone or in conjunction with any other information, to identify
a specific individual and includes any name, social security number, date of birth, and unique
electronic identification code, address or routing code, including a credit or debit card number or
an online banking credential and password.

183. On the dates noted below, in the Northern District of Ohio, Eastern Division, and
elsewhere, Defendants [redacted] WITTE, aka MAX; and others presently known and
unknown to the Grand Jury, did knowingly use, without lawful authority, a means of
identification of another person during and in relation to a felony violation enumerated in 18
U.S.C. § 1028A(c), to wit, the felony commission of Computer Fraud, a violation of Title 18,
United States Code, Section 1030, Wire Fraud, a violation of Title 18, United States Code,
Section 1343, and Bank Fraud, a violation of Title 18, United States Code, Section 1344,
knowing that the means of identification belonged to another actual person:

Count | Approximate Dates of Theft and Use | Location | Description
32 | 10/17/2017 | [illegible] | Online Bank Account Access
33 | 10/17/2017 to 10/19/2017 | [illegible] | Approximate $98,177 wire transfer
34 | 10/17/2017 to 10/19/2017 | [illegible] | Approximate $98,373 wire transfer
35 | 10/17/2017 to 10/19/2017 | [illegible] | Approximate $175,789 wire transfer
36 | 10/17/2017 to 10/19/2017 | [illegible] | Approximate $98,727 wire transfer
37 | 10/19/2017 | Avon, OH | Online Bank Account Access
38 | 10/19/2017 to 10/20/2017 | Avon, OH | Approximate $691,570,000 attempted wire transfer
39 | 10/03/2018 | North Canton, OH | Online Bank Account Access
40 | 10/03/2018 | North Canton, OH | Approximate $230,400 wire transfer
41 | 10/03/2018 | North Canton, OH | Approximate $84,900 wire transfer
42 | 10/03/2018 | North Canton, OH | Approximate $154,200 wire transfer
43 | 10/03/2018 | [illegible] | Approximate $171,200 wire transfer
44 | 10/03/2018 | [illegible] | Approximate $84,200 wire transfer
45 | 10/03/2018 | [illegible], OH | Approximate $44,900 wire transfer
46 | 10/03/2018 | North Canton, OH | Approximate $89,400 wire transfer


184. Members of the Trickbot Group knew, and had reason to know, that the
information collected was from actual individuals because the means by which it was collected
was specifically designed to require response and affirmative action by the victim to provide his
or her own verification information.

185. Moreover, members of the Trickbot Group knew, and had reason to know, the
online banking information was from actual individuals because the members successfully used
the online banking credentials to gain access to online bank accounts and initiate and attempt
to initiate wire transfers of funds.

All in violation of Title 18, United States Code, Sections 1028A(a)(1) and 2.


COUNT 47
(Conspiracy to Commit Money Laundering, 18 U.S.C. § 1956(h))

The Grand Jury further charges:

186. The factual allegations of Paragraphs 1 — 63, 88 — 165, and 174 — 175 of this
Indictment are hereby repeated, re-alleged and incorporated by reference as if fully set forth
herein.

The Conspiracy

187. From in or around November 2015 through the date of this Indictment, in the
Northern District of Ohio, Eastern Division, and elsewhere, Defendants [redacted]
and others presently known and unknown to the Grand Jury, did
knowingly and intentionally combine, conspire, and agree with each other and with other persons
known and unknown to the Grand Jury to commit offenses against the United States in violation
of Title 18, United States Code, Section 1956, to wit:
a. to knowingly conduct and attempt to conduct financial transactions affecting
interstate and foreign commerce, which transactions involved the proceeds of
specified unlawful activity, that is, Wire Fraud, in violation of 18 U.S.C.
§ 1343, Bank Fraud, in violation of 18 U.S.C. § 1344, and Fraudulent Access
to Computers, in violation of 18 U.S.C. § 1030, knowing that the transactions
were designed in whole or in part to conceal and disguise the nature, location,
source, ownership, and control of the proceeds of a specified unlawful activity,
and that while conducting and attempting to conduct such financial
transactions, knew that the property involved in the financial transactions
represented the proceeds of some form of unlawful activity, in violation of
Title 18, United States Code, Section 1956(a)(1)(B)(i);

b. to transport, transmit, and transfer, and attempt to transport, transmit, and
transfer a monetary instrument or funds involving the proceeds of specified
unlawful activity, that is, Wire Fraud, in violation of 18 U.S.C. § 1343, Bank
Fraud, in violation of 18 U.S.C. § 1344, and Fraudulent Access to Computers,
in violation of 18 U.S.C. § 1030, from a place in the United States to or
through a place outside the United States, knowing that the funds involved in
the transportation, transmission, and transfer represented the proceeds of some
form of unlawful activity and knowing that such transportation, transmission,
and transfer was designed in whole or in part to conceal and disguise the
nature, location, source, ownership, and control of the proceeds of specified
unlawful activity, in violation of Title 18, United States Code, Section
1956(a)(2)(B)(i); and

c. to knowingly engage and attempt to engage in a monetary transaction in
criminally derived property with a value greater than $10,000, which property
was derived from a specified unlawful activity, that is, Wire Fraud, in
violation of 18 U.S.C. § 1343, Bank Fraud, in violation of 18 U.S.C. § 1344,
and Fraudulent Access to Computers, in violation of 18 U.S.C. § 1030, by,
through and to a financial institution and affecting interstate and foreign
commerce, in violation of Title 18, United States Code, Section 1957.
Objects of the Conspiracy

188. The objects of the conspiracy included for the Defendants to:

a. obscure and disguise the ultimate recipients of the criminal proceeds of the
Wire Fraud, Bank Fraud, and Fraudulent Access to Computers schemes to
defraud — as discussed above in Paragraphs 40 — 51, 67 — 86, 88 — 165, 170 —
172, and 174 — 175 — by laundering those funds using a network of
money mules and wire transfers conducted under the guise of legitimate
businesses;

b. launder those criminal proceeds through U.S. and foreign beneficiary bank
accounts provided and controlled by conspirators; and

c. transfer money obtained from the Wire Fraud, Bank Fraud, and Fraudulent
Access to Computers schemes overseas for personal financial gain.
Manner and Means of the Conspiracy

189. The manner and means used to accomplish the conspiracy are set forth in
Paragraphs 67 — 86 and 170 — 172 of this Indictment and are repeated, re-alleged and
incorporated by reference as if fully set forth herein.

190. The Defendants, and co-conspirators known and unknown to the Grand Jury, did
conduct and attempt to conduct unauthorized electronic funds transfers from victims’ online
bank accounts at U.S. financial institutions into U.S. and foreign beneficiary bank accounts
provided and controlled by the Trickbot Group.

191. The Trickbot Group advertised and posted listings for remote employment on job
posting websites such as Indeed.com, LinkedIn.com and others.

192. The Trickbot Group created fictitious companies, such as “Liberty Shopping” and
“Element Construction Group,” and created fraudulent websites for the companies to give the
impression that they were actual businesses which engaged in legitimate domestic and
international transactions.

193. The Trickbot Group explained to potential employees that they would be required
to receive funds and distribute them to investors and vendors of the seemingly legitimate
businesses.

194. The Trickbot Group instructed employees to open business banking accounts and
further instructed the employees on how to provide answers to financial institutions in opening
the business banking accounts.

195. The Trickbot Group would send funds consisting of criminal proceeds of
Wire Fraud, Bank Fraud, and Fraudulent Access to Computers, to the employee’s business
bank account, either through ACH, wire transfer or other electronic funds transfers, or
through official check.

196. Shortly after the funds were deposited into the employee’s business bank
accounts, the Trickbot Group would instruct the employee to initiate an electronic funds transfer
to an [illegible] financial account created by and under the control of the Trickbot Group.
Eventually these funds were transferred to members of the Trickbot Group for their personal
enrichment.

All in violation of Title 18, United States Code, Section 1956(h).
FORFEITURE: COUNTS 1 - 31

The Grand Jury further charges:

197. The allegations contained in Counts 1-31 of this Indictment are hereby re-alleged
and incorporated by reference as if fully set forth herein for the purpose of alleging forfeiture
pursuant to the provisions of Title 18, United States Code, Section 982(a)(2) and Title 18, United
States Code, Section 1030(i). As a result of these offenses, Defendants [redacted]
shall forfeit to the United States: (i) any and all property
constituting, or derived from, any proceeds they obtained, directly or indirectly, as the result of
such offenses; and, (ii) any and all personal property that was used — or was intended to be used
— to commit or to facilitate the commission of the offense charged in Count 1 of the Indictment.
FORFEITURE: COUNT 47

The Grand Jury further charges:

198. The allegations contained in Count 47 of this Indictment are hereby re-alleged and
incorporated by reference as if fully set forth herein for the purpose of alleging forfeiture
pursuant to the provisions of Title 18, United States Code, Section 982(a)(1). As a result of this
offense, Defendants [redacted] WITTE, aka MAX shall forfeit to the United States all
property, real and personal, involved in such offense, and all property traceable to such property.

A TRUE BILL.

Original document - Signatures on file with the Clerk of Courts, pursuant to the E-Government
Act of 2002.

United States v. [redacted] et al.

A TRUE BILL.

FOREPERSON

JUSTIN E. HERDMAN
United States Attorney